Open 89ao opened 3 months ago
This is a good question about deletion here, since bandersnatch detects it, and a nice proposed addition.
I would accept a new config parameter driven deletion there (maybe delete_missing_packages) that defaults to false in default.conf and then uses the metadata to delete all of the package blobs and simple API files.
Thanks!
Thanks a lot @cooperlees ! Looking forward to seeing the feature implemented as soon as possible.
Taking the package tohoku-tus-iot-automation as an example, I saw from the logs that this package was synced down from the official source on March 6th. By March 7th, bandersnatch had detected that the upstream had already removed it (due to the package containing malicious information collection backdoors and trojans). However, our local bandersnatch had not yet deleted it. On March 18th, during troubleshooting by our operations team, they discovered this issue and manually executed "bandersnatch delete tohoku-tus-iot-automation" to remove it.
My question is, since Bandersnatch can detect that the upstream has removed it (https://github.com/pypa/bandersnatch/blob/main/src/bandersnatch/mirror.py#L125), why wasn't there consideration given to adding the ability for automatic deletion (or a switch)? Are there any other considerations or scenarios that prevent us from doing so?
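
An added example, not part of the thread or of bandersnatch's own code: a read-only audit that lists projects a local mirror still serves but upstream no longer lists, so they can be reviewed and removed with the "bandersnatch delete" command mentioned above. It assumes the non-hashed mirror layout web/simple/<project>/index.html and an upstream project list in PEP 691 JSON form; the function names and the sample data are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path


def normalize(name: str) -> str:
    """PEP 503 name normalization, so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def upstream_projects(index_json: str) -> set[str]:
    """Names from a PEP 691 JSON project list: {"projects": [{"name": ...}]}."""
    return {normalize(p["name"]) for p in json.loads(index_json)["projects"]}


def mirrored_projects(simple_dir: Path) -> set[str]:
    """Projects that have a simple API page in the local mirror.

    Assumption: non-hashed layout <mirror>/web/simple/<project>/index.html.
    """
    return {normalize(d.name) for d in simple_dir.iterdir()
            if d.is_dir() and (d / "index.html").is_file()}


def removed_upstream(simple_dir: Path, index_json: str) -> list[str]:
    """Projects still served locally that upstream no longer lists."""
    upstream = upstream_projects(index_json)
    if not upstream:
        # An empty or truncated listing must not flag the whole mirror.
        raise ValueError("upstream project list is empty; refusing to compare")
    return sorted(mirrored_projects(simple_dir) - upstream)


def demo() -> list[str]:
    # Constructed sample: three mirrored projects, one of them gone upstream.
    upstream = json.dumps({"projects": [{"name": "requests"}, {"name": "Flask_Login"}]})
    with tempfile.TemporaryDirectory() as tmp:
        simple = Path(tmp) / "web" / "simple"
        for name in ("requests", "flask-login", "tohoku-tus-iot-automation"):
            (simple / name).mkdir(parents=True)
            (simple / name / "index.html").write_text("<html></html>")
        return removed_upstream(simple, upstream)


if __name__ == "__main__":
    for project in demo():
        print(project)  # candidates to review, then: bandersnatch delete <project>
```

The script only reports; deletion stays a separate, reviewed step, and the empty-list guard keeps a failed upstream fetch from marking every mirrored project as removed.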